=== syzkaller on FreeBSD

Contact: Mark Johnston <markj@FreeBSD.org>
Contact: Michael Tuexen <tuexen@FreeBSD.org>

syzkaller is a coverage-guided operating system kernel fuzzer.
See the link:https://www.freebsd.org/status/report-2019-01-2019-03.html#Fuzzing-FreeBSD-with-syzkaller[syzkaller entry] in the 2019q1 quarterly report for an introduction to syzkaller.

In the past quarter we made a concerted effort to shrink the backlog of reports from the public link:https://syzkaller.appspot.com/freebsd[syzbot] instance.
A number of long-standing locking bugs in the socket subsystem have been fixed, and the SCTP protocol implementation has seen many bug fixes as well.
Beyond that, link:https://github.com/freebsd/freebsd-src/search?o=desc&q=syzbot+OR+syzkaller&s=committer-date&type=commits[many bugs] in various other kernel subsystems have been fixed and the backlog has become substantially smaller over the past quarter.
As a direct result of this effort, we have been able to identify regressions more easily and fix bugs closer to the time of introduction.
Work is still ongoing to further shrink the backlog.

KASAN (Kernel Address SANitizer) was enabled in the default kernel configuration used by syzbot, which has greatly enhanced our ability to root-cause and fix kernel bugs.
See the link:https://www.freebsd.org/status/report-2021-04-2021-06/#_kernel_sanitizers[kernel-sanitizers entry] in the 2021q2 quarterly report for an introduction to KASAN and KMSAN.
KASAN helps ensure that memory safety bugs manifest more deterministically, improving syzkaller's ability to find reproducers and simplifying debugging.

A KMSAN (Kernel Memory SANitizer) port was committed to FreeBSD's main branch in August.
Some initial work has been done to make it usable by syzkaller (mainly, kcov(4) required several small modifications to work in a KMSAN-enabled kernel), and a number of bugs were found and fixed using private syzkaller instances.

Goals for the next several months include:

* Addition of a KMSAN target in syzbot.
* Further reduction in the syzbot backlog.
* Upstreaming syzkaller patches to support fuzzing of the Linuxulator.
* Fuzzing using ZFS-based VM images.

Sponsor: The FreeBSD Foundation
